The EU-US Privacy Shield – the next steps from here?

October 2016 | SPOTLIGHT | DATA PRIVACY

Financier Worldwide Magazine

October 2016 Issue

On 12 July 2016, the European Union Commission officially adopted the EU-US Privacy Shield, representing the culmination of a long process to address the shortcomings of the EU-US Safe Harbor framework which was invalidated in October 2015 by the ECJ.

This follows the approval of Privacy Shield on 8 July 2016 by the Article 31 Committee (originally established under the Directive 95/46/EC), which includes representatives of the EU Member States. While the European Union Commission’s adequacy decision is immediately effective, US-based companies will be given until 1 August 2016 to review the new framework’s requirements before being able to register and self-certify their compliance with Privacy Shield.

For those US-based companies that do register in August and September 2016, these companies will be able to take advantage of a nine-month ‘grace period’ (i.e., through April 2017) to address their compliance-related requirements with third parties relative to adherence with the new framework.

The European Commission has proposed that the new Privacy Shield framework be deemed adequate to enable transfers of personal data between EU Member States (and presumably the three European Economic Area members, i.e., Iceland, Liechtenstein and Norway) and the United States. The adequacy decision by the Commission, however, does state the following: “The EEA Joint Committee has to decide on the incorporation of the present decision into the EEA Agreement. Once the present decision applies to Iceland, Liechtenstein and Norway, the EU-U.S. Privacy Shield will also cover these three countries and references in the Privacy Shield package to the EU and its Member States shall be read as including Iceland, Liechtenstein and Norway”.

The Privacy Shield framework is described by the US Department of Commerce to embody “a renewed commitment to privacy by the US and the EU, and to ensure it remains a living framework subject to active supervision, the Department of Commerce, the FTC and EU DPAs [Data Protection Authorities] will hold annual review meetings to discuss the functioning of and compliance with the Privacy Shield”.

The stated aim is to strengthen cooperation between the FTC and EU DPAs, providing independent, vigorous enforcement of the data protection requirements set forth in the Privacy Shield framework. EU individuals will have access to multiple avenues to resolve concerns – at no cost to the individual – and will have an option to work with their local (national) DPA to resolve complaints.

Additionally, the Privacy Shield framework includes certain safeguards and transparency obligations relative to US governmental access to personal data. For the first time, the US government has provided the EU with written commitments including an assurance from the Office of the Director of National Intelligence that access of public authorities to personal data for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.

The Privacy Shield framework includes significant advancements to improve transparency regarding personal data use, strengthen the protections provided by participants, and inform EU individuals more comprehensively about their rights under the programme. But it is not without its critics. There are concerns about unfettered access to consumer data by intelligence and law enforcement officials. And the fact that the programme is subject to annual reviews has led to questions over whether the law could change on a regular basis, or, as happened last autumn, get struck down altogether.

To join the Privacy Shield, a US-based company will be required to register and self-certify to the US Department of Commerce and publicly commit to comply with the requirements of the new framework. These requirements for such participating companies (participants) include, but are not limited to, the issues outlined below.

Notice. Participants must review, update and publicise their privacy policies online and declare their commitment to comply with Privacy Shield and the specific notice requirements of the new framework.

Dispute resolution. EU individuals whose data is being processed by participants may lodge a complaint directly with a participant, which must respond to the complaint within 45 days; participants must provide, without cost to the EU individuals, independent recourse mechanisms to investigate and expeditiously respond to such complaints; participants must commit to binding arbitration at the EU individual’s request to address complaints that have not otherwise been resolved through the processes set forth in the framework

Cooperation with Department of Commerce. Participants must cooperate and respond promptly with the US Department of Commerce to resolve complaints submitted by EU individuals (which can also be submitted by such individuals to their local data protection authorities, or DPAs).

Purpose limitation. Similar to the Safe Harbor framework, participants must limit personal information to that which is relevant for processing and pertains to the original purpose for which it was collected (absent subsequent consent by the individual).

Onward transfers. Participants must enter into contracts with third-party controllers and processors, regardless of location, to ensure adherence to the Privacy Shield framework and principles including the consent provided by the EU individual relative to the processing of his or her personal data.

Access. EU individuals have a right to know if participants are processing their personal data and modify, correct or delete it under certain circumstances (such as data being inaccurate or being processed in violation of the requirements of Privacy Shield).

Once a US-based company commits to the Privacy Shield framework, the commitment will be enforceable under US law and will remain enforceable regarding any personal data processed during the self-certification period, even if a company is no longer a participating company.

Best practice guidelines

Although the EU Commission’s adequacy decision represents a milestone achievement toward a more unified system of laws and regulations around the processing and protection of personal data between the EU and the US, detractors and sceptics remain vocal about the shortcomings of the new framework and it will likely be challenged by activists and ruled upon by European Courts (including the ECJ).

Other EU-US data protection and compliance-related issues to be addressed will also focus on the impacts to Privacy Shield and compliance in general resulting from ‘Brexit’ and the upcoming implementation of the EU General Data Protection Regulation in May 2018. Companies processing personal data of EU citizens need to be undertaking privacy impact assessments to analyse what personally identifiable information is collected, used, processed and shared, understand and appropriately remediate compliance gaps, and make intelligent risk-related decisions with the next three-year horizon in mind. Organisations conducting data transfers involving personal data from the EU are tasked with identifying and implementing a robust plan with built-in contingencies if the horizon should suddenly change.

In addition, the Article 29 Working Party has confirmed that the use of model contracts or binding corporate rules can still be used for transfers of personal data from the EU to the US companies involved in the transfer of personal data from the EU to the US should review their policies and procedures in light of these new developments especially regarding the new General Data Protection Regulation, as it will impact not only companies that operate in the EU, but that do business with EU consumers.